A “firewall” refers to a network security measure that controls incoming and outgoing network traffic based on a set of permit and deny rules or conditions, referred to herein as firewall policy rules. The task of defining and maintaining network firewall policies has traditionally fallen to a security specialist or team of security specialists within the organization that owns or manages the network. In various existing networks, the network employs a formal request process which will allow security specialists of the network to add, modify, or remove different firewall policy rules associated with different machines/devices or sub-networks (or subnets) of the network. Each request is usually manually reviewed by one or more of the security specialists before being added to the firewall policy or rejected for some business or security-related reason.
Large companies are rapidly moving toward shared environments, comprising cloud models, where different software applications and other services for different users, companies or organizations can be hosted, managed and run at a remote location and made available to a plurality of other users via a network. These applications and services can reside in physical machines or devices of the network as well as in virtual machines (“VMs”) or devices of the network that can have resources added or removed on demand, instantiated, quiesced, and re-instantiated on other peer hardware. These types of solutions provide flexibility and can optimize individual devices for maximum utilization and return-on-investment (ROI) compared to fixed hardware allocation.
The move towards cloud computing disrupts the traditional firewall policy implementation model by transferring much of the security responsibility directly to the owner, creator or manager of the cloud-based application or service. These users are not typically security experts, even if they have years of experience in the information technology, software engineering or data processing industries. This can easily lead an inexperienced user to misconfigure the firewall policies associated with their application or service, leaving their application or service and associated information vulnerable to a remote attacker.
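As an added illustration of the permit/deny rule model and the review step described above (example code written for this page, not part of the patent or any product): a first-match policy evaluator with implicit default deny, plus an automated pre-review check that flags the kind of overly broad permit rule an inexperienced application owner might request and a security specialist would normally reject. The Rule fields, the sample policy and the sensitive-port set are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified firewall policy rule (an assumption, not the patent's model).
@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: str             # source CIDR, e.g. "10.0.0.0/8" or "0.0.0.0/0" for any
    dst: str             # destination CIDR (a device or subnet)
    port: Optional[int]  # destination port; None means any port

def matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and (rule.port is None or rule.port == port))

def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; traffic matching no rule is denied by default."""
    for rule in policy:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action
    return "deny"

# Assumed set of ports a reviewer would not want exposed to arbitrary sources.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}

def review_findings(rule: Rule) -> List[str]:
    """Automated pre-review: reasons a specialist would likely reject the rule."""
    findings = []
    if rule.action != "permit":
        return findings          # deny rules only narrow access; nothing to flag
    src_any = ipaddress.ip_network(rule.src).prefixlen == 0
    if src_any and rule.port is None:
        findings.append("permits any source to any port")
    elif src_any and rule.port in SENSITIVE_PORTS:
        findings.append(f"exposes sensitive port {rule.port} to any source")
    return findings

# Constructed sample policy for a subnet 10.0.5.0/24: internal HTTPS allowed,
# SSH from anywhere explicitly denied, everything else falls to default deny.
POLICY = [
    Rule("permit", "10.0.0.0/8", "10.0.5.0/24", 443),
    Rule("deny", "0.0.0.0/0", "10.0.5.0/24", 22),
]
```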